Friday, 30 November 2012

Website Code Injection and How it Affects your Reputation

Cyber crime syndicates are always looking for ways to infect more machines with their malware. One way is to increase the lifetime of the code they inject into websites. Usually the life span of injected code on a compromised website depends on how quickly the website administrator notices the malicious content added to their web pages.

Image 1: The red arrow below shows the difference between the life span of typical malicious injected code and code injected by a rogue Apache module

One tactic used to increase the life span of injected code is to install rogue modules on compromised web servers. These modules hide both themselves and the presence of the injected code from website administrators. We are seeing an increase in the number and sale of web server rootkit tools used to inject and hide malicious code on compromised web servers. Web server administrators are reporting on forums and in blog articles that mysterious iframes with malicious payloads appear on different websites, with the injected URL changing constantly.

According to underground forums, one such web server rootkit, called "DarkLeach", is an Apache 2 module selling for $1,000. Its features include iframe injection into PHP, HTML and JavaScript files, allowing access to the module only from specific IP addresses, and periodic updates of the injected URLs.

Apart from injecting iframes, the module ensures a long life span with its stealth features: it logs the IP addresses of server administrators, goes quiet when an admin logs into the server or when someone connects to the server from one of the logged IPs, and disables itself when a rootkit scanner such as rkhunter or a packet-capture tool such as tcpdump is run. The author of the module goes on to show statistics of how successful the module is when used with exploit kits:
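The hiding behaviour described above (injected iframes that disappear when the page is fetched from an administrator's IP, and a module that switches itself off when scanners run) suggests a check that does not rely on the compromised host's own tools: fetch the page from an outside address that has never logged in, compare it with what the admin sees, and flag iframes that are hidden, tiny or point off-site. The script below is an added example written for this post, not code from the original article or from the DarkLeach module; the site name "shop.example", the two HTML pages and the URLs in them are constructed.

```python
"""Added example (not from the original post): heuristic detection of injected
iframes in a served HTML page, plus a comparison of the page as seen from an
administrator's IP versus an outside vantage point. Sample pages are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample pages for a hypothetical site "shop.example":
# the view an administrator gets, and the view an ordinary visitor gets.
CLEAN_VIEW = """<html><body>
<iframe src="/help/widget.html" width="300" height="200"></iframe>
<p>Welcome to the shop
</body></html>"""

INFECTED_VIEW = """<html><body>
<iframe src="/help/widget.html" width="300" height="200"></iframe>
<p>Welcome to the shop
<iframe src="http://203.0.113.7/stat.php" width="1" height="1" style="visibility: hidden"></iframe>
<div style="display:none"><iframe src="http://cdn-update.example/x.php"></iframe></div>
</body></html>"""


def _int_dim(value):
    """Parse a width/height attribute such as "1" or "1px"; None if not numeric."""
    if value is None:
        return None
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except ValueError:
        return None


def _is_hidden_style(style):
    """True if an inline style hides the element."""
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s


class IframeCollector(HTMLParser):
    """Collects every <iframe> with its attributes and whether an ancestor hides it."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self._open = []  # stack of (tag, hidden_by_own_style) for open elements

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = _is_hidden_style(a.get("style"))
        hidden = hidden_here or any(h for _, h in self._open)
        if tag == "iframe":
            self.iframes.append({
                "src": a.get("src", ""),
                "width": _int_dim(a.get("width")),
                "height": _int_dim(a.get("height")),
                "hidden": hidden,
            })
        self._open.append((tag, hidden_here))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed tags such as <p>.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break


def find_suspicious_iframes(html, site_host):
    """Return iframes that look injected, each with the reasons it was flagged."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for f in parser.iframes:
        reasons = []
        host = urlparse(f["src"]).hostname
        if host and host.lower() != site_host.lower():
            reasons.append("off-site src")
            try:
                ipaddress.ip_address(host)
                reasons.append("raw IP host")
            except ValueError:
                pass
        if f["hidden"]:
            reasons.append("hidden via CSS")
        if any(d is not None and d <= 1 for d in (f["width"], f["height"])):
            reasons.append("1x1 or smaller")
        if reasons:
            findings.append({"src": f["src"], "reasons": reasons})
    return findings


def iframes_only_in_external_view(admin_html, external_html):
    """Iframe srcs served to an outside visitor but not to the administrator's IP."""
    def srcs(html):
        parser = IframeCollector()
        parser.feed(html)
        return {f["src"] for f in parser.iframes}
    return sorted(srcs(external_html) - srcs(admin_html))


if __name__ == "__main__":
    for f in find_suspicious_iframes(INFECTED_VIEW, "shop.example"):
        print(f["src"], "->", ", ".join(f["reasons"]))
    print("only served to outsiders:", iframes_only_in_external_view(CLEAN_VIEW, INFECTED_VIEW))
```

To use it on a real site, save the HTML returned by curl from the admin's workstation and from an address that has never logged in (a cheap VPS or a phone's mobile connection) and pass the two files to the functions. The heuristics are generic indicators of iframe injection, not a signature for any particular module, and a clean result from the server's own IP proves nothing given the behaviour described above.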

Image 2: Stats from exploit kits showing successful exploits with the help of the Web server Apache rogue module

As you can see, this type of attack is widely used and can have a detrimental effect on a company's reputation. For instance, TradingForex.com was recently affected by a similar attack: the forex trading website was injected with a malicious Java applet, which could install malware on the systems of the site's users. Forex is the foreign exchange market, where international currencies are traded, and it is now used by millions of people around the world. TradingForex.com provides tools for trading forex online, which its users trusted to be secure. After this attack, users will think twice about using the service because of the lack of security and the possibility of their systems being compromised. Ishlangu gives web server administrators peace of mind by surrounding their websites and web applications with a fortified security perimeter. This provides robust defenses against exploits aimed at vulnerable application frameworks such as Joomla and WordPress, which cyber criminals use to compromise web servers and install malicious modules such as DarkLeach.

Ishlangu's Application Firewall establishes a secure session identifier, proactively secures cookies, URLs and form fields, and thoroughly inspects all data sent to and received by the application, ensuring malicious users do not exploit the stateless nature of HTTP transactions. Protect your websites, your users and, most importantly, your reputation from attack. Download a free trial of Ishlangu and see for yourself.